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Abstract 

' r- ] '■ Information reconciliation(IR) is a basic step of quantum key distribution(QK 

D). Classical message interaction is necessary in a practical IR scheme, and 
the communication complexity has become a bottleneck of QKD's develop- 
ment. Here we propose a concatenated method of IR scheme which requires 
only one time one-way communication to achieve any given error rate level. 
A QKD scheme with the concatenated IR can work without the special in- 
teractions of error rate estimation. 
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1. Introduction 

After physical signal transmission, unconditionally secure key distribu- 
tion protocol d 3 can be divided into three parts: advantage distillation |3J, 
information reconciliation(IR) [3] and privacy amplification p^,!?]]. Quantum 
key distribution(QKD) is a mature unconditionally secure key distribution 
scheme with three phases: quantum signal transmission, raw key distilla- 
tion(or advantage distillation), and classical data post-processing. IR is a 
basic step of classical data post-processing. Several IR protocols have been 
presented. In 1992, Bennett et al.jg] proposed an IR protocol called Binary. 
Binary is simple and easy to operate, but it needs frequent interactive com- 
munication. It cannot find even errors in a block. In 1993, Brassard et al. H 
proposed an IR protocol called Cascade, which can correct two errors in a 
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block. Though its error correction ability is stronger than Binary, its com- 
putation and communication complexity is bigger. In 1999, Biham et al. lol 
proposed an IR scheme based on syndrome error correction. After that, May- 
ers et al. 11] proposed an IR scheme based on error correcting code. Yang et 
al. 12] suggested a key redistribution scheme for IR. These three IR protocols 
are non-interactive ones. In 2003, Buttler et al. 17] proposed a IR scheme 
called Winnow. The number of the error correction rounds of Winnow is 
fewer than Binary and Cascade, but the error correction ability is limited. 

It is clear that an IR needs to employ multi-round error correction to 
make the error rate arrive at an acceptable level in a practical QKD sys- 
tem. Since the problem an IR protocol deals with is not the errors of a bit 
string, but the bit inconsistence between two bit strings, we cannot use the 
well known concatenating error correction code directly. Binary, Cascade, 
and Winnow are all multi-rounds protocols. They adopt interactive commu- 
nication to achieve an acceptable error rate level. However, the interactive 
communication causes extra time consuming, and becomes a bottleneck of 
the QKD's development. The non-interactive IR protocols such as that pre- 



sented in [lOj, [ll|, |12] are all one round error correction. They cannot achieve 



the practically acceptable low error rate. Thus it is necessary to construct 
new IR protocol. Here we propose a concatenating procedure for IR. The IR 
protocols designed based on this idea can reduce the error rate to any given 
level via only one time one-way communication, then they may improve the 
efficiency of a QKD's post-processing. 

The techniques used in the construction of concatenated IR schemes are 
introduced in Sec. 2. Some selection criterias of the error correction code in 
the concatenated method under a certain error rate of the channel is given 
in Sec. 3. The construction method of a concatenated IR scheme with three 
examples is given in Sec. 4. Some discussions and the conclusion are given in 
Sec. 5 and Sec. 6, respectively. 



2. Preliminaries 

2. 1 . Wire link permutation 

Wire link permutation(WLP) is a simple and fast digital circuit bit- 
permutation technique, without the help of gate circuits. There are many 
different WLPs. We can see that, in an IR protocol, it is necessary to do a 
random bit-permutation between any two successive error correction rounds. 
The permutation used in an IR protocol should be as uniform as possible, 
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that means the bits in a block should be dispersed uniformly into different 
blocks after a permutation. A proper WLP is shown in Fig. f . 
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Figure 1: The wire link permutation W adopted in our scheme. 



We can see that after the permutation W the first bit of the first block 
(an,ai2, ...,a ln ) is put in the first position in the new round; The first bit 
of the second block (a,2i, 0,22, o-2n) is put m the second position in the new 
round, etc.; Go on like this until the last block (a m i, a m 2, a mn ): the first 
bit a m \ is put in the m th position in the new round, etc.. 

The WLP should be done between each pair of successive error correction 
rounds. The i th permutation W l is as follows, 
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We can rearrange the data string (a^ , a^ , • • • , a^, (% , a 22 , • • • , a 2 „, • • • 
• • • , a^\, a^ 2 , • • • , amn) into a matrix as 
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It can be seen that every row is a codeword before the permutation, and 
every column is a codeword after the permutation. Since the changes 
the rows to the columns, it is just a transpose operation of the matrix A®. 
Thus, 

w (1) = ■■■ = w {€) = ■ ■ ■ = w, 
w- 1 = w. 
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2.2. Non-interactive IR schemes 

There are three kinds of non-interactive IR schemes. The first one is the 
syndrome IR scheme 1(J. In this scheme, Alice sends syndromes to do error 



correction. Bob uses the equation sa © sb = H(K A © K B ) to correct his 
raw key Kb to Alice's raw key Ka- The second one is the IR scheme of 



Mayers [ll|]. In this scheme, Alice encodes a local random string x to get 
the codeword c, and uses her raw key Ka to do one time pad with it to get 
c © Ka- Then she sends it to Bob. Bob adds his raw key K B to it to get the 
(c © Ka) © Kb = c © e, and decodes it to get the codeword c. Then he adds 
it to the receiving c © Ka to get Ka- The third one is the key redistribution 
scheme [l2|. The basic idea of this scheme is: Alice first encodes a local 
random bit string with an error correcting code, then she uses her raw key 
to do one time pad with the codeword and transmits it to Bob. Bob adds 
his raw key to the received bit string and decodes the error correcting code 
to get Alice's local random bit string, then takes it as the secret key between 
them. The whole protocol can be summarized as follows. 

1. Alice generates a random bit string x. 

2. Alice uses a generator matrix g to encode x and gets the code word c, 
where g is a globe public parameter. 

3. Alice uses the raw key K a to do bitwise XOR operation with the code 
string c to get K a © c. Then she transmits it to Bob. 

4. Bob does the same operation to the received string with K^ and gets 
(c © K a ) © K b = c © e. He uses check matrix h and c © e to calculate 
the syndrome s. Using s, he gets the error vector e and the codeword 
c. Then he gets the random bit string x by decoding c, and takes it as 
the secret key between them. 

If the generator matrix is kept secret, the key redistribution protocol may 
generate a secure final key. It can also realize group oriented key distribu- 
tion, personal identification, and message authentication for non-broadcast 
channel via key-controlled error-correcting code. Thus the key redistribution 
protocol may realize the IR and the privacy amplification in one step. 



2.3. Classical message authentication using CRC-based MAC} 13. \l4j 

CRC-based MAC designed for stream cipher is a scheme with information- 
theoretic security based on cyclic redundancy code(CRC). LFSR can be used 
to realize rapid polynomial division in a CRC authentication scheme. This 
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kind of authentication scheme can authenticate large amount of messages 
by consuming a few bits of the key. For this reason, we suggest using it to 
authenticate the classical channel of QKD. The CRC based authentication 
scheme is as follows. 

Denote the n bits message to be authenticated as M. Make M = 
M n _ 1 ...M 1 M and the polynomial M(x) = Y17=o ^i x% associated. Denote 
the CRC hash function as h, and the MAC value as aut. The output of h is 
an m bit string. 

1. Alice and Bob secretly preshare a binary irreducible polynomial p(x) 
of degree m, and a m-bit random string K as their one time pad key. 

2. Alice calculates h(M) = coef(M(x) ■ x m mod p(x)) . 

3. Alice gets the m-bit aut of M by calculating h(M) © K. 

4. Alice sends aut and M to Bob 

5. Bob uses the received M' to calculate a aut", and checks whether it is 
equal to the aut' he received. 



The successful attack probability is S^[13| for any n and m > 1. 



2-4- Hamming code ! la] 

[n, n — k, 3]Hamming code over F2 with n = 2 h — 1 has fast error correction 
algorithm for its special structure. Given a serial number from 1 to n to 
denote the position of each bit in a codeword. The check bits are inserted 
into 2 l th positions, where < I < k. The left positions are information bits. 
Its generator matrix is obtained by exchanging the 2 th column with the 
(n — l)th column of the corresponding systematic code respectively, where 
< I < k. The decoding method is multiplying the receiving bit-string with 
the parity check matrix to get the syndrome s — (si, Sk), then the binary 
number (si...Sk)^ indicates just the position of an error bit in the codeword. 

Consider of the fast decoding algorithm of Hamming code, we choose it as 
the error-correcting code to be concatenated in our concatenated IR scheme. 



3. Some selection criteria of concatenated IR schemes 

Usually, after one error correction round, we can hardly reduce the error 
rate to an acceptable level, thus we have to do more error correction rounds. 
Binary, Cascade and Winnow include multi-round error correction, and need 
a parity check before every round to determine whether a block needs to be 
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corrected. The necessary interactive communication makes the efficiency of 



these protocols decreased. The original scheme of Biham 10[, Mayers[ll| and 



key redistribution |12| employ only one- round error correction, which cannot 
reduce the error rate to an acceptable level in practical system. In order 
to realize both one time one-way communication and an acceptable error 
rate level simultaneously, we suggest a concatenating method of IR. All the 
three one round IR protocols can be reconstructed based on this idea. In 
this section, we will prove some selection criteria for choosing the number of 
round and the error correcting code under a given error rate of the channel. 



Definition 1[16|. Let C be a linear code of length n and let A{ be the 



number of codewords of weight i, then 

n 

A(z,n):^J2 A i zi ( 2 ) 

i=0 

is called the weight enumerator of C. The sequence (Ai)™_ is called the 
weight distribution of C. If C is linear and c £ C, then the number of 
codewords at distance i from c equals Ai. 

For binary Hamming code of length n, the weight enumerator 

A(z,n) = £ V = —t(1 + *T + -^t(1 + 3)^(1 - (3) 
z — ' n+l n + 1 

It should be noticed that, for Hamming code, n = 2 k — 1 is an odd number. 
From Eq.(3), compare the polynomial coefficients of the two sides of Eq.(3), 
we get that A\ = A 2 = A n _ 2 = A n _i = 0, and all other coefficients are 
non-zero integers. For example, for the code [7, 4, 3], n = 7, we get A(z, 7) = 
l + 7z 3 + 7z 4 + z 7 . For the code [15,ll,3],n= 15, we get A(z, 15) = l + 35z 3 + 
105^ 4 + 1682 5 + 28(k 6 + 435^ 7 + z 15 + 35z 12 + 105^ n + 168^ 10 + 280^ 19 + 435^ 8 . 
According to Eq.(2), we calculate the weight distribution (Aj)™ =0 of Ham- 
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ming code of length n. 

1/ ft , < n — 1 , . n + l 

A(z,n) = l + ^+ l + ^l-^ 
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Compare the coefficients with A(z,n) = Ylk=o^ z > we S e ^ 



n+l n+l 



Definition 2[16|. Let C C Q" be a code with M words. We define 

A ■= M- X \{{x,y)\x 6 C,y e C,d(x,y) = (5) 

The sequence (Ai)f =0 is called the distance distribution or inner distribution 
ofC. 

Note that if C is linear, the distance distribution is weight distribu- 
tion. Thus, for Hamming code, the weight distance and the distance dis- 
tribution are the same. With the weight distribution of Hamming code 
calculated in Eq.(2), we get that its distance distribution is (A k )^ =0 , here 

A k = ^TiC k n + ^i(-^c\^k = 0, 1, • • • ,n. This means, for any Ham- 
ming code c of length n, the number of the codewords at distance i from c is 
Ai,i = 0,1,- •• ,n. 

Suppose using Hamming code of length n, bit error probability is p, the 
expected number of errors per block before decoding is np. 

(a) If one error occurs, the number of error bits is zero after error correc- 
tion. 

(b) If k, (2 < k < n — 1) errors occur, there are two situations when 
executing error correction: 
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1. The k errors turn one codeword into another codeword. In this situa- 
tion, we cannot use error- correcting code to correct any bit of errors. 
There are still k errors after error correction. For any Hamming code- 
word c of length n, the number of the codewords at distance k from c 
is A k . Thus, the probability of this situation is A k p k (l — p) n ~ k . This 
means there will be still k errors with probability A k p k (l — p) n ~ k after 
error correction. 

2. The k errors do not turn the code into another code. In this situation, 
the error correction may correct only one error to reduce the number 
of error to k — 1. But also, this may cause a new error to increase the 
number of error to k + 1. This means we can get a new codeword at 
distance k — 1 from codeword cor a new codeword at distance k + 1 
from codeword c. For any codeword c, the number of the codewords 
whose distance with cisA; — lorfc + 1 are separately A k -±, A k+ \. Thus, 
after error correction we can get one of the A k _i + A k+ i codewords. 
Suppose each codeword can be gotten with the same probability in the 
error correction. After error correction the probability of reducing the 
error number to k — 1 is . Ak r] — , and the probability of increasing 

the error number to k + 1 is Afc 1 ^ fc+1 - The probability that k errors 
do not turn the codeword c to another codeword is (C k — A k )p k (l — 
p) n ~ k because the number of the codewords at distance k from c is 
A k . Thus, the probability that k errors cannot turn a codeword to 
another codeword and the number of errors is reduced to k— 1 is (C k — 
Ak) A k — p) n ~ k . The probability that k errors cannot turn 

a codeword to another codeword and the number of errors is increased 
to k - 1 is (C k - A k ) Ak A ^ k+i p k (l -pT- k . 

(c)When n errors occur, for A n — 1, this means the number of the 
codewords at distance n with c is 1. The length of the codeword is 
n, thus if all of the n bits are wrong, there is only C™ = 1 situation. 
Thus n errors can only turn a codeword to another codeword. In this 
situation after error correction there are still n errors. The probability 
of this situation is p n . 

From the above analysis, we can calculate the mathematical expectation 
of the errors in each block after error correction. Let the bit error probability 
is p\ after error correction. Thus after error correction the mathematical 
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expectation of errors in each block is np\. 

,k - A,) 

Ak-i + A k+ i 



n-1 . 

npi = J2i kA kP k ^-p) n - k + (k-l)(C k n -A k )- J±_/(l- p )-* + 



k=2 

(k + l)(C k n - A k ) Ak +\ p k (l - P r~ k ] + n P - 

Y}kA k + (C k - A k ) {k - 1)A ;- 1+ J* + 1)Ak+1 ] P k (l - pf- k + nA nP « 

X>A fe + (<7* - A k )(k + - p)- fc . (6) 



fc=0 



Here, denote A_i = 0, A n+ i = 0. When = A fc _i = 0, denote A . k+1 , A A k 1 = 
0. 

From the above equation, we can get 

n A - A 

n Pl = - A*) ? +1 , 7" 1 + kC k ] P k (l - pY~ k 

t^o Ak ~ x + Ak+1 

= B<% - A k) A ' +1 " ^ Y (l - p)- fc + np. (7) 
Thus, p\ < p equals the following equation 

J2(C k - A k ) Ak+l Ak -' p\l-pY- k < 0. (8) 

fc=0 fe 1 

For the Hamming code of length n = 7, we have 

7 Pl = 63p 2 - 182p 3 + 210p 4 - 8Ap 5 . 

Pi = 9p 2 - 26p 3 + 30p 4 - 12p 5 . (9) 

From pi < p, we get 

< p < 1(3 - >/3), or 1 < p < 1(3 - >/3). (10) 



9 



This means we can use error-correcting code to reduce the error rate 
if and only if the bit error probability p satisfies < p < |(3 — v3) or 

i<p<|(3- v / 3). 



pi -p 




Figure 2: The error rate after error-correction p\ varies with the inial error rate p 
when n = 7. 

From Fig. 2 we can see there are five points of intersection between the 
curve and X-axis. They are 0, |(3 — v^), §, |(3 — -\/3), 1- If the p is in 
the interval [|(3 — a/3), |, |(3 — v3)]> Pi will go forwards to \ after error 
correction. In this situation we cannot correct the errors. The interval of p 
where we can use this code is [0, |(3 - sfS)\ and [|(3 - 1]. 

The error rate after error-correction pi varying with the inial error rate p 
when ?7, = 15 is as Fig.2. 



p\ -p 




Figure 3: The error rate after error-correction p\ varies with the inial error rate p 
when n = 15. 
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Compare Fig. 3 with Fig. 2 we can see the effective interval of Hamming 
code [15, 11, 3] is less than that of Hamming code [7, 4, 3]. 

Lemma 1. Let C be the [n,n — fc,3] Hamming code over F2, where 
n = 2 k — 1. Suppose the upper bound of the average number of errors within 
per block after one error correction round with C is \i then we have 

x = 1 + np - 2p n - (1 - p + 2np){l - p) n ~\ (11) 

where p is the bit error rate of the channel. 
Lemma 2. x < n ( n ~ l)p 2 [l + |(1 ~ p) n ~ 2 }. 

Theorem 1. When C is used as the error correcting code, if bit error 
rate p satisfies the condition p < -. — 1 , M ■ l M — rr-^rr, then the concatenated 
error correction scheme can achieve any given error rate level. 

Corollary 1. If bit error rate p < p t h = ' ^ ne conca t ena ted error 

correction scheme can reduce the error rate to any given level. 

Table 1 and 2 show the concatenating results based on Eq.(8), which are 
useful for choosing the proper error correcting code and the concatenating 
depth I. Parameter rj is the information rate of the concatenated IR al- 
gorithm, a is the final error rate of the concatenated IR algorithm. It is 
required that after I rounds error correction the final error rate a should 
be below 1 x 10~ 9 . According to this criterion, the required error correc- 
tion round I and the final left bit rate are determined. The results based 
on Hamming code [15,11,3] and [7,4,3] are given in Table 1 and Table 2, 
respectively. 



Table 1: Concatenated IR based on [15,11,3] code, p represents the channel error rate. 
I represents the needed error correction rounds, a represents the final error rate, rj 
represents the left bit rate. 



V 


0.01 


0.02 


0.04 


0.05 


0.06 


0.07 


0.08 


I 


4 


5 


6 


7 


8 


9 


11 


n 


0.289 


0.212 


0.156 


0.114 


0.084 


0.061 


0.024 


a 


3.58xl0~ 13 


2.59xl0~ 15 


1.77xl0~ 12 


2.72xl0~ 14 


8.86X10 -15 


2.35X10" 11 


2.04xl0~ 11 



If the channel error rate p, the final error rate a and the error correcting 
code are given, the concatenating depth I will be determined. 



4. The construction of concatenated IR schemes 

Based on the selection criteria given in Sec. 3, three IR scheme 1^, 11, 12 
are constructed with the concatenating method as follows. 
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Table 2: Concatenated IR based on [7,4,3] code, p represents the channel error rate. 
I represents the needed error correction rounds, a represents the final error rate. 77 
represents the left bit rate. 



p 0.05 0.07 0.09 0.10 0.12 0.13 0.14 

( 5 5 6 6 7 7 8 

17 0.061 0.061 0.035 0.035 0.020 0.011 0.011 

a 5.22X10 -14 5.93X10 -10 1.20xl0~ 12 1.74xl0~ 10 1.66X10 -12 6.96X10 -10 1.04xl0~ 13 



I. Firstly we consider the reconstruction of Biham's syndrome error cor- 
rection protocol (lo|. Follow Winnow (l7|. we choose [n, n — k, 3] Hamming 
code. Currently a typical error rate for a QKD IR protocols to deal with is 
less than 5%. According to Theorem 1, we can choose [15, 11, 3] Hamming 
code as the basic code, whose error correction ability is 6.7%. The protocol 
is as follows. 

1. Alice divides the raw key string into 15-bit length blocks and then 
performs the permutation W on it. Alice calculates the syndromes s^-, 
and discards the check bits of each block, here i is the serial number of 
the block, and j is the serial number of the round. Alice repeats above 
operations from j — 1 to j — I, to get the syndromes s^, ...,s^,i = 
1, ■ • • , n, where I is the predetermined number of the correction rounds. 
The Alice's final bit-string is the common random string to be privacy 
amplified. 

2. Alice takes the syndromes s^}, s^, (i — 1, • • • , n) as her message 
to be sent. She uses CRC authentication algorithm to calculate the 
MAC of the message and sends the MAC and the message to Bob. 

3. After receiving the sequence s^! , s^j, s^, Bob uses the CRC authen- 
tication algorithm and the one time pad key K to check whether the 
message is coming from Alice and has not been changed. If the authen- 
tication is passed, Bob uses the wire link permutation W to transform 
his raw key and calculates the syndrome of every block. Then he 
calculates the i th syndrome = s^J © s^], and does error correction 
to the i th block, % = 1, • • • , n. After the error correction of the first 
round he discards all the check bits. Bob repeats above operation to 
get the syndromes sf\i = 1, • • ■ , n and performs error correction from 
j — 1 to j — I. Finally he gets the key of Alice after / rounds error 
correction. 
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Suppose the initial error rate is 3%. According to the criteria in Sec. 3, 
we get the upper bound of the final error rate and the final bit rate after 
each error correction round, as shown in Table 3. 

Table 3: The upper bound of error rate based on Lemma 1 and the left bit rate after each 
error correction round. Suppose channel error rate is 3%. The chosen code is Hamming 
code [15, 11, 3]. The data in this table are the upper bound of error rate and left bit rate 
after i rounds error correction, 1 < i < 6. 



Round 


1 


2 


3 


4 


5 


6 


Error Rate 


1.53XKT 2 


4.40 xKT 3 


3.93xl0~ 4 


3.23 xl0~ 6 


2.20 xlO" 10 


5.92 xl0~ 17 


Left Rate 


0.733 


0.538 


0.394 


0.289 


0.212 


0.156 



The concatenating depth / in the protocol is determined by a given final 
error rate. Table 3 shows that when the concatenating depth / is 5, we can 
get an error rate under 1.0 x 1CT 9 with a left bit rate 0.212. 

II. The original key redistribution protocol can be reconstructed as fol- 
lows. 

1. Alice generates a random string and divides it into blocks with 
length 11, = (r^,--- , r^V). She uses the [15, 11, 3] Hamming 
code to encode each block and gets = (c^, ■ • ■ , Cn}), and then uses 
the wire link permutation W to rearrange She divides it again 
into blocks with length 11, = (r^\--- , r^). Executing those 
operations / rounds, she gets the codeword string = (cf \ • • • , ci])- 
There is no permutation in the last round. The above process can be 
written as 

C^P^Q-i ■■^C 2 [P l [C l {rf )]]]■■■ ]] = c^ l \ 

where Pi is the i th round wire link permutation W, Ci is the i th round 
encoding with [15, 11,3] code. 

2. Alice uses her raw key K\ to xor bit by bit with the codeword string 

and gets K A © c®. It is the message to be sent. She uses CRC 
authentication algorithm to calculate the MAC of the message, and 
sends the MAC and the message to Bob. 

3. Bob uses the CRC authentication algorithm to check whether the mes- 
sage has been changed. If the authentication is passed, Bob uses his raw 
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key Kb to do xor bit by bit with the received codeword string and gets 
(Ka © c®) © K B = © e. Bob decodes it and does the inverse wire 
link permutation W~ l = W. He repeats above operations round by 
round, and gets r$ finally. Here we require Wh( - t b^® t a ) < i o x 10~ 9 . 

\ r A I 

The concatenating depth I is also 5 according to Table 3. 

III. The concatenated version of Mayer's ECC-based IR protocol is as 
follows. 

1-3. The same as that of the key redistribution protocol. 
4. Bob uses the r$ to do concatenated encoding just as Alice has 
done to get 

c^ = C l [P l ^[C l ^---[CmCi(r^M ■■■]], 

and gets the K' A by calculating (Ka © c®) © c ,<yl \ Here we require 
W "(W*> < 1.0 x 10- 9 , that means ^gf^ < 1.0 x 10~ 9 . 
The concatenating depth I is also 5 according to Table 3. The step 4 
shows that the concatenated ECC-based IR protocol needs to do an extra 
concatenated encoding. In step 3, Bob uses his raw key Kb to do xor bit 
by bit with the received sequence and gets (Ka © c^) © Kb = © e. He 
gets gradually all the vectors e^, e^ -1 -*..., e^, c B \ c B ~ l \ and r$ in the 

end. His purpose is getting Ka, so he should get e and then get d^ l \ because 
he can get K A by adding it to the receiving string K A © c®. However, using 
e (0 5 e ('-i) , ^ e (i) to reconstruct e is too complicated to be finished generally. 
Thus he has to do the step 4 to get the d^ l \ and then to get the K' A . Thus we 
can see that the key redistribution protocol is more suitable than the ECC 
based IR protocol for being reconstructed into a concatenated form. 

5. Discussions 

Concatenated IR scheme can reduce the error rate to any given level if 
and only if every error correction round makes the error rate lower. Thus, 
if the error rate of the channel satisfies Eq.(8), after a few error correction 
round, we can arrive at an error rate less than the given value. We choose the 
complete Hamming code [2 k — 1, 2 fc_1 — 1 — k, 3] to do this because of their 
rapid decoding algorithm. The result shows that the error rate decreases 
exponentially with the concatenated depth. 
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Error rate estimation via public channel is another basic step of QKD. It 
is usually an interactive process. We can leave it out by using concatenat- 
ing IR scheme. For a given error rate of the raw key, after the first round 
syndrome calculating, the rate of non-zero syndromes should be less than a 
threshold, e.g., if the given error rate is p, the non-zero rate of syndromes 
of the first error correction round is less than (1 —p) n . If the rate is beyond 
this threshold, Bob simply informs Alice to give up this packet. Otherwise, 
Bob continues his process. In QKD, after the base sifting step, the classical 
data post-processing, together with error estimation using our method, can 
be constructed into a single protocol with almost one-way classical commu- 
nication. 

We can see that there are at least three interactions in a BB84 QKD 
protocol. The first one is quantum signal transmission from Alice to Bob; 
The second one is measurement information transmission from Bob to Alice: 
Bob informing Alice the positions of qubits received and the bases of his 
measurement; The third one is a classical packet from Alice to Bob: a bit 
string representing the positions of raw key bits she selected, and a sequence 
of syndromes, Alice puts them in a packet and sends it to Bob. Then Bob 
does the error rate check and the post-processing described above. If Bob 
finds the non-zero rate of syndrome is bigger than (1 —p) n , he has to do the 
fourth interaction to inform Alice abandoning that packet. 

The concatenated IR method cannot reduce the information leakage rate. 
Because the adversary cannot predict the positions of his eavesdropped bits 
in the raw key, the eavesdropped bits are uniformly located in both the in- 
formation digits and the check digits of the raw key's codewords. After each 
error correction round, the left bit string is permuted by wire link permu- 
tation. Thus the left leaking bits will be uniformly distributed in both the 
information digits and the check digits of the next round's blocks. Suppose 
the eavesdropping rate of the adversary is rj. After abandoning the check 
bits in each error correction round, the length of the block is decreased from 
n bits to k bits. After I rounds error correction, there are (^) l r]n bits infor- 
mation leakage left. Thus, after / rounds reconciliation, the final information 
leakage rate is still rj, and the parameters of privacy amplification remains 
the same. 
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6. Conclusion 



we suggest a concatenating way to improve the efficiency of IR schemes, 
and construct three one-way concatenated IR schemes for QKD. The IR 
schemes designed based on this idea can work with only one time one-way 
communication and achieve any given error rate level, thus may improve the 
efficiency of a QKD's post-processing. In addition, a QKD scheme with this 
kind of IR may omit a special interaction of error rate estimation. 
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Appendix A. The derivation of Eq. (8) 





(-i)^ciM 



2 



(A.l) 



n + 1 



2 



Ak-i + Ak+i 



+ ^(-i)^rix J - ^ct 1 - ^(-i)^cix J 

c k n +i - ct 1 + n(-i)^i(ctr J + cir J ) 



2 2 



C k n +l + Ct 1 + n(-l)^l(dT J - ciT J ) 



2 2 



A + B 
C + D' 



(A.2) 



Here, 



A 




(k + l)\(n - k - 1)\ (k - l)\(n — k + l)\ 
n 2 + n — 4k 



) 



ik+l 
n-1 



(n- k- l)(n- k)(n- k + l) : 



(A.3) 
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b = I (0-1) 

= (-D^clf J , (A.4) 



(fc + l)!(n - A; - 1)! (A; - l)!(ra - k + 1)!' 



, fc+1 rz 2 + n + 2k 2 - 2k 



n - l {n-k-l){n-k){n-k + iy 1 ' ' 



1 n+l _ | fc+1 I _ I fc+1 I 

1 2 J -LMlj!("±l_ |_*±ij)i 



(-l)^(dff J -2dX J ) 

2 2 

i 4 , + 1 
n + 



-^CT^—^D- (A.6) 
2 n + 1 z 



Thus, 



^U+i — ^U-i 



C7*+ 1 -C7*- 1 + n(-l)r^lC7^ 



2 
+ 1 
2 



^ + Ak+1 + Ct 1 + n(-l) W ciX J (1 " 7+7 L¥J ) 

2 

Here, 



,(A.7) 



wc+i , ^fc-i _ r ik+i n 2 + n 2nk + 2A; 2 
' » ' » - ! - n 2 + 2n + l-A; ' 



^-yfc+1 r~ik— 1 



n+l— 7- — - -,--7- ( A - 8 ) 



(k + l)\(n - k - 1)\ (k - l)!(n -fc+1)! 



n! 



(ib + l)!(n-jfc + l)! 



[(ra-Jfc + l)(ra-fc)-(fc + l)Jfe] 



Appendix B. The proof of Lemma 1 

Proof. Hamming code can correct one-bit error without failure. When 
there are more errors, the correction process may add 1 bit error. Here we 
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consider the upper bound of the average number of errors, thus we assume 
the number of errors will increase by 1 after error correcting. When there are 
n bits errors, the number of errors will be reduced by 1 after error correction. 
Then 



n-l 



x = J> + fc)c*p*(i - P ) n ~ k + (n - i)cy n 

k=2 

n 

= ^2(l + k)C k n p k (l-p) n - k -2p n (B.l) 

k=2 

n 

= ^(1 + k)C k n p k {\ - p) n ~ k - 2p n - (1 - p) n - 2np{\ - p) n -\ 



k=0 



By the identity X]fc=o kC k p k (l — p) n k = np, we have 

x = 1 + np - 2p n - (1 - p) n_1 (l - p + 2rap). (B.2) 



Now let us consider the upper bound of x- 

Appendix C. The proof of Lemma 2 
Proof: From the Eq.(B.2), we have 

n-l 

x<j2^ + k)c k p k (i- P r- k 

k=2 

n 

= £(i + fe)c?y (i - P ) n -* + 3cy (i - p)™- 2 . 

fc=3 



□ 



(C.l) 
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By the inequality (16J (1 + k)C k n < n{n - l)C k Z 2 2 (k > 3), it holds that 

n n 

E(l + k)C k n p\l - p) n - k < n(n -1)J2 C k n Zlp\l - p) n ~ k 

k=3 k=3 

n, 

-i)p 2 E c - 2 v- 2 (i-pr fc 



n(n 



n(n 



k=3 
n-2 

n-2-k 



(C.2) 



ib 2 E c "-^(i-p) 

k=l 

n(n - l)p 2 [l - (1 -p) n - 2 ]. 



Thus we obtain 

X < 2cy\\ - (i - p) n - 2 } + scy (i - py~ 2 

= n(n-l)p 2 [l + ±(l-p) n - 2 ]. ( °' 3) 



□ 



From the Lemma 2, it holds that 



3ra(ra-l) 2 3/ ,2 



x < — ^ — V < 2 W • ( c - 4 ) 

Appendix D. The proof of Theorem 1 

Proof. Denote pi as the error rate after one error correction round. From 
the definition of we know pi < -. It is clear that the concatenated error 
correction scheme can reduce the error rate to any given level, if and only if 
Pi < p. Because p\ < -, p\ < p holds if - < p. From Lemma 2, - < p holds 
if n(n - l)p 2 [l + \{l -p) n - 2 } < np. That is 

1 

P< (n-l)[l + i(l-J9)^ 2 ]' (D,1) 

□ 

Appendix E. The proof of Corollary 1 

2 < , ' ,^ <A. m 



3(n-l) (n-l)[l + ±(l-p)™- 2 ] n-1 
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Thus, when p < 3 ^_^ , the condition Eq.(D.l) holds. Let p t h = 3 ^-i) ■ Thus 
if p < pth, according to Theorem 1, the concatenated error correction scheme 
can reduce the error rate to any given level. □ 
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